CVE-2026-45000 Overview
CVE-2026-45000 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in OpenClaw versions before 2026.4.20. The flaw resides in the browser extension's Chrome DevTools Protocol (CDP) profile creation path, which skips strict-mode SSRF policy enforcement when a profile is created. A low-privileged authenticated user can therefore persist a profile whose cdpHost points at a private-network address or a cloud metadata endpoint. Because that stored target is probed during normal profile status operations, the result is an unauthorized internal request issued by the OpenClaw process itself.
Critical Impact
Authenticated attackers can store browser CDP profiles that bypass SSRF policy checks and trigger internal network requests during routine profile operations.
Affected Products
- OpenClaw (Node.js distribution) versions prior to 2026.4.20
- Deployments using the extensions/browser CDP integration
- Configurations relying on ssrfPolicy strict-mode enforcement
Discovery Timeline
- 2026-05-11 - CVE-2026-45000 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45000
Vulnerability Analysis
The vulnerability exists in OpenClaw's browser extension, which integrates with remote browsers via the Chrome DevTools Protocol. When a user creates a browser profile, the resolver path constructs a CDP reachability policy without applying the strict SSRF policy checks used elsewhere in the application. Stored profiles can therefore reference hostnames or IP addresses that the SSRF policy would normally reject, such as 127.0.0.1, RFC1918 ranges, or cloud metadata services like 169.254.169.254.
Later, when the application performs status or health probes against stored profiles, the resolved policy effectively allowlists the configured cdpHost, causing outbound requests to internal endpoints. The result is an SSRF primitive that operates indirectly, leveraging persisted profile data rather than direct request input.
Root Cause
The original resolveBrowserSsrFPolicy function merged caller-supplied extraAllowedHostnames into the policy unconditionally. The CDP host was added to the allowlist regardless of whether allowPrivateNetwork or dangerouslyAllowPrivateNetwork was enabled. This permitted private-network destinations to slip through strict mode by appearing in allowedHostnames.
Attack Vector
An attacker with permission to create or modify browser profiles supplies a cdpHost referencing an internal address. The profile is persisted. During normal profile status operations, OpenClaw issues HTTP requests to that host, bypassing the SSRF guardrails intended to block private-network access.
// Patch: scope CDP host allowlist to honor strict SSRF policy
-import type { SsrFPolicy } from "../infra/net/ssrf.js";
+import { isPrivateNetworkAllowedByPolicy, type SsrFPolicy } from "../infra/net/ssrf.js";
import type { ResolvedBrowserProfile } from "./config.js";
import { getBrowserProfileCapabilities } from "./profile-capabilities.js";
+function withCdpHostnameAllowed(
+ profile: ResolvedBrowserProfile,
+ ssrfPolicy?: SsrFPolicy,
+): SsrFPolicy | undefined {
+ if (!ssrfPolicy || !profile.cdpHost) {
+ return ssrfPolicy;
+ }
+ if (isPrivateNetworkAllowedByPolicy(ssrfPolicy)) {
+ return ssrfPolicy;
+ }
+ return {
+ ...ssrfPolicy,
+ allowedHostnames: Array.from(
+ new Set([...(ssrfPolicy.allowedHostnames ?? []), profile.cdpHost]),
+ ),
+ };
+}
+
export function resolveCdpReachabilityPolicy(
profile: ResolvedBrowserProfile,
ssrfPolicy?: SsrFPolicy,
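Review bot: the strict branch of withCdpHostnameAllowed still allowlists the host unconditionally. After the `isPrivateNetworkAllowedByPolicy(ssrfPolicy)` early return, `profile.cdpHost` is appended to `allowedHostnames` for every policy that does not allow private networking, and nothing in this hunk checks whether that host is loopback, RFC1918 or link-local. If allowedHostnames entries bypass the private-network check in the consumer, this reproduces the bypass the advisory describes; if the consumer (refactored in e90c89c, not shown here) now exempts allowlisted names only from hostname policy and still rejects private resolved addresses, that invariant belongs in a comment on the return, e.g. `// name-level allow only; private resolved addresses are still rejected downstream`. Either way, a unit test that resolves a profile with cdpHost 169.254.169.254 under a strict policy and asserts the status probe is refused would pin the intended behaviour. Minor: the host is inserted without normalisation (case, trailing dot, port suffix), so whatever matches against allowedHostnames must normalise the same way or the entry will silently fail to match.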
Source: GitHub commit 1fd049e
Detection Methods for CVE-2026-45000
Indicators of Compromise
- Outbound HTTP requests from the OpenClaw process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or loopback addresses
- Connections to cloud metadata endpoints such as 169.254.169.254 originating from OpenClaw workers
- Stored browser profiles containing cdpHost values pointing to internal-only hostnames
Detection Strategies
- Audit persisted browser profile records for cdpHost values that resolve to private or link-local IP space
- Monitor process-level network telemetry for OpenClaw services contacting non-public destinations
- Inspect application logs for repeated profile status probes targeting unusual hosts
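The policy-resolution bug pattern described under Root Cause, shown beside a hardened variant, together with the persisted-profile audit listed above, as an added TypeScript example. This is illustrative code written for this page, not OpenClaw's resolveBrowserSsrFPolicy, withCdpHostnameAllowed or its profile store; the ExamplePolicy and StoredProfile shapes, the classifyTarget helper, the blocked-range table, the metadata hostname set and the SAMPLE_PROFILES records are all assumptions constructed here.

```typescript
// Added example for this page, not OpenClaw code. ExamplePolicy / StoredProfile are
// simplified stand-ins for the project's SsrFPolicy and ResolvedBrowserProfile.
type ExamplePolicy = { allowPrivateNetwork: boolean; allowedHostnames: string[] };
type StoredProfile = { name: string; cdpHost?: string };
type TargetKind = "loopback" | "private" | "link-local" | "metadata-hostname" | "public-literal" | "unresolved";
type Finding = { name: string; cdpHost: string; kind: TargetKind };

// Dotted-quad IPv4 literal -> unsigned 32-bit value, or null if it is not one.
function parseIPv4(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  let v = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    v = v * 256 + octet; // arithmetic rather than <<, so the value stays unsigned
  }
  return v;
}

function inCidr(ip: number, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0; // valid for /1 .. /32
  return ((ip & mask) >>> 0) === ((parseIPv4(base)! & mask) >>> 0);
}

// Address space a strict SSRF policy must never let a stored cdpHost reach
// (assumed table; the page names loopback, RFC1918 and 169.254.169.254).
const BLOCKED_V4: Array<[string, TargetKind]> = [
  ["127.0.0.0/8", "loopback"],
  ["0.0.0.0/8", "loopback"],        // connect() to 0.0.0.0 reaches the local host
  ["169.254.0.0/16", "link-local"], // includes the 169.254.169.254 metadata address
  ["10.0.0.0/8", "private"],
  ["172.16.0.0/12", "private"],
  ["192.168.0.0/16", "private"],
];
// Names that resolve to loopback or to a metadata service (assumed set).
const BLOCKED_NAMES: Record<string, TargetKind> = { localhost: "loopback", "metadata.google.internal": "metadata-hostname" };

// Normalise a cdpHost ("[v6]:port", "host:port", IPv4-mapped IPv6) and classify it.
function classifyTarget(cdpHost: string): TargetKind {
  let host = cdpHost.trim().toLowerCase();
  host = host.replace(/^\[(.*)\](?::\d+)?$/, "$1");                 // [::1]:9222 -> ::1
  if (host.indexOf("::") < 0) host = host.replace(/:\d+$/, "");     // host:9222 -> host
  if (host === "::1") return "loopback";
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(host);          // ::ffff:a.b.c.d
  if (mapped) host = mapped[1];
  if (Object.prototype.hasOwnProperty.call(BLOCKED_NAMES, host)) return BLOCKED_NAMES[host];
  const ip = parseIPv4(host);
  if (ip === null) return "unresolved"; // DNS name or other IPv6: re-check once resolved
  for (const [cidr, kind] of BLOCKED_V4) if (inCidr(ip, cidr)) return kind;
  return "public-literal";
}

// Pre-fix pattern from the advisory: the caller-supplied host is merged into
// allowedHostnames unconditionally, so a private cdpHost rides through strict mode.
function resolvePolicyUnsafe(policy: ExamplePolicy, cdpHost: string): ExamplePolicy {
  if (policy.allowedHostnames.indexOf(cdpHost) >= 0) return policy;
  return { ...policy, allowedHostnames: [...policy.allowedHostnames, cdpHost] };
}

// Hardened variant: when private networking is explicitly allowed no entry is needed;
// in strict mode an internal literal is rejected before anything is persisted, and a
// bare name is allowlisted only because the resolved address is re-checked at connect time.
function resolvePolicyStrict(policy: ExamplePolicy, cdpHost: string): ExamplePolicy {
  if (policy.allowPrivateNetwork) return policy;
  const kind = classifyTarget(cdpHost);
  if (kind !== "public-literal" && kind !== "unresolved") {
    throw new Error(`strict ssrfPolicy: refusing to allowlist ${kind} cdpHost ${cdpHost}`);
  }
  return resolvePolicyUnsafe(policy, cdpHost);
}

// Detection: report every persisted profile whose cdpHost is not a public literal.
function auditProfiles(profiles: StoredProfile[]): Finding[] {
  const findings: Finding[] = [];
  for (const p of profiles) {
    if (!p.cdpHost) continue;
    const kind = classifyTarget(p.cdpHost);
    if (kind !== "public-literal") findings.push({ name: p.name, cdpHost: p.cdpHost, kind });
  }
  return findings;
}

// Constructed sample of persisted profile records (not real data).
const SAMPLE_PROFILES: StoredProfile[] = [
  { name: "prod-browser", cdpHost: "203.0.113.10" }, // documentation range, public literal
  { name: "dev-local", cdpHost: "localhost:9222" },
  { name: "imds-probe", cdpHost: "169.254.169.254" },
  { name: "vpc-browser", cdpHost: "10.20.30.40" },
  { name: "mapped", cdpHost: "[::ffff:192.168.1.5]:9222" },
  { name: "named", cdpHost: "cdp.corp.example" },
  { name: "no-cdp" },
];
for (const f of auditProfiles(SAMPLE_PROFILES)) console.log(`${f.name}: ${f.cdpHost} -> ${f.kind}`);
```

Against the constructed records, auditProfiles flags five of the seven: the loopback, link-local and two private targets outright, plus the bare DNS name as "unresolved" for follow-up. The name is deliberately not judged offline: a hostname-only allowlist is exactly what lets a private target through, so the classification has to be repeated on the address the name resolves to at connect time, and any real audit should resolve such names from the same resolver the OpenClaw host uses.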
Monitoring Recommendations
- Forward OpenClaw process network events to a centralized analytics platform for correlation
- Alert on creation events for profiles whose cdpHost fails SSRF policy validation
- Track version inventory to confirm hosts run OpenClaw 2026.4.20 or later
How to Mitigate CVE-2026-45000
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later, which scopes the CDP host allowlist to strict SSRF policy
- Review existing browser profile records and remove any with cdpHost values pointing to internal networks
- Restrict who can create or modify browser profiles to trusted operators only
Patch Information
The fix is delivered through two upstream commits. Commit 1fd049e scopes the CDP host allowlist by introducing withCdpHostnameAllowed, which respects isPrivateNetworkAllowedByPolicy before allowlisting the configured host. Commit e90c89c refactors resolveBrowserSsrFPolicy to accept and merge extra allowed hostnames cleanly. See the GitHub Security Advisory GHSA-j4c5-89f5-f3pm and the VulnCheck Advisory on SSRF for additional detail.
Workarounds
- Keep ssrfPolicy.allowPrivateNetwork set to false and do not enable dangerouslyAllowPrivateNetwork. On unpatched versions this is a baseline rather than a mitigation: the flaw is precisely that a stored cdpHost is allowlisted without the strict-mode checks, so the setting must be combined with the egress and profile-review controls listed here.
- Place OpenClaw workers behind an egress proxy that blocks RFC1918 and link-local destinations
- Restrict outbound network ACLs on OpenClaw hosts so they cannot reach cloud metadata services
# Example egress restriction using iptables to block metadata and private ranges.
# Caveats: -A appends, so an earlier ACCEPT in OUTPUT wins (use -I to put these
# first); the rules apply to every process on the host, so scope them with
# "-m owner --uid-owner <openclaw service user>" (name is deployment-specific)
# if other services need private-network access. Loopback cannot be filtered
# this way without breaking local services, so loopback cdpHost values must be
# caught by profile review instead.
iptables -A OUTPUT -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.